Apache is much more secure by default.  Roll out default installs of
Apache and IIS.  Go through the SF archives.  See which one has more
advisories and exploits out.

Sorry to play devil's advocate, because Charles makes a very good
point in closing:
"They are both vulnerable unless hardened and protected."

True but it is the degree of vulnerability.  Since security is about
risk mitigation and dealing (living?) with an acceptable amount of
risk I would sleep better at night with Apache (yet in a twist of
irony I run IIS, but this is because I know how to harden it).

Default "out-da-box" Apache takes the cake for more secure.

Hands down.

Cheers,

Leon

-----Original Message-----
From: Hornat, Charles [mailto:[EMAIL PROTECTED]] 
Sent: Monday, January 07, 2002 2:03 PM
To: 'Baba Bogdan'; [EMAIL PROTECTED]
Subject: RE: IIS

I recently read a statistic that said Apache is hacked more than IIS
web servers, and I have also seen statistics go the other way.  I
did a quick search in Google to try and see if I could find a solid
believable statistic, and was unsuccessful.  I found many individuals
stating facts without citing their references.

Besides this, does it really matter what web server you choose?  I
have worked with many and would answer this with: the system is as
secure as the administrator of that system is knowledgeable.  I know
administrators who can secure an IIS server and others who can secure
Apache.  It's like asking which OS is the most secure.  There isn't
really an answer.

I am doing a study right now on OSes, and which are the most secure
out of the box and out of the box with the latest security patches
applied.  The study consists of operating systems like Solaris 6 and
8, Red Hat, Windows and so on.  We are using the latest Nessus and
Nmap to scan the boxes and will be writing our findings up on each
OS.

Let's face it, Apache isn't more secure than IIS.  They are both
vulnerable unless hardened and protected.

Charles



